SOCIAL SECURITY
Office of the Inspector General
SOCIAL SECURITY ADMINISTRATION    BALTIMORE, MD 21235-0001

November 7, 2011

The Honorable Michael J. Astrue
Commissioner

The Chief Financial Officers Act of 1990 (CFO) (P.L. 101-576), as amended, requires that the Social Security Administration's (SSA) Inspector General (IG) or an independent external auditor, as determined by the IG, audit SSA's financial statements in accordance with applicable standards. Under a contract monitored by the Office of the Inspector General (OIG), Grant Thornton, LLP, an independent certified public accounting firm, audited SSA's Fiscal Year (FY) 2011 financial statements. Grant Thornton also audited the FY 2010 financial statements, presented in SSA's FY 2011 Performance and Accountability Report for comparative purposes. This letter transmits the Grant Thornton Independent Auditor's Report on the audit of SSA's FY 2011 financial statements. Grant Thornton's Report includes the following:

   •   Opinion on Financial Statements;
   •   Report on Management's Assertion About the Effectiveness of Internal Control; and
   •   Report on Compliance and Other Matters.

Objective of a Financial Statement Audit

The objective of a financial statement audit is to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management as well as evaluating the overall financial statement presentation.

Grant Thornton conducted its audit in accordance with auditing standards generally accepted in the United States; Government Auditing Standards issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. The audit included obtaining an understanding of the internal control, testing and evaluating the design and operating effectiveness of the internal control, and performing such other procedures as considered necessary under the circumstances. Because of inherent limitations in any internal control, misstatements due to error or fraud may occur and not be detected. The risk of fraud is inherent to many of SSA's programs and operations, especially within the Supplemental Security Income program. In our opinion, people outside the organization perpetrate most of the fraud against SSA.

Audit of Financial Statements, Effectiveness of Internal Control, and Compliance with Laws and Regulations

Grant Thornton issued an unqualified opinion on SSA's FY 2011 and 2010 financial statements. Grant Thornton also reported that SSA had effective internal control over financial reporting based on criteria under OMB Circular A-123, Management's Responsibility for Internal Control, and SSA's financial management systems substantially complied with the requirements of the Federal Financial Management Improvement Act of 1996.

However, Grant Thornton did identify three deficiencies in internal control that, when aggregated, are considered to be a significant deficiency related to a weakness in controls over information security. Specifically, Grant Thornton's testing:

   1. Disclosed that policies and procedures to periodically reassess the content of security access profiles had not been complied with consistently throughout the Agency.
   2. Disclosed evidence that security permissions provided to some employees and contractors exceeded access required to complete their job responsibilities.
   3. Identified configurations that increased the risk of unauthorized access to key financial data and programs during our testing of various operating systems.

Grant Thornton identified no reportable instances of noncompliance with the laws, regulations, or other matters tested.

OIG Evaluation of Grant Thornton Audit Performance

To fulfill our responsibilities under the CFO Act and related legislation for ensuring the quality of the audit work performed, we monitored Grant Thornton's audit of SSA's FY 2011 financial statements by

   •   reviewing Grant Thornton's audit approach and planning;
   •   evaluating its auditors' qualifications and independence;
   •   monitoring the progress of the audit at key points;
   •   examining its workpapers related to planning the audit, assessing SSA's internal control, and substantive testing;
   •   reviewing Grant Thornton's audit report to ensure compliance with Government Auditing Standards and OMB Bulletin No. 07-04;
   •   coordinating the issuance of the audit report; and
   •   performing other procedures we deemed necessary.

Grant Thornton is responsible for the attached auditor's report, dated November 7, 2011, and the opinions and conclusions expressed therein. The OIG is responsible for technical and administrative oversight regarding Grant Thornton's performance under the terms of the contract. Our review, as differentiated from an audit in accordance with applicable auditing standards, was not intended to enable us to express, and accordingly we do not express, an opinion on SSA's financial statements, management's assertions about the effectiveness of its internal control over financial reporting, or SSA's compliance with certain laws and regulations. However, our monitoring review, as qualified above, disclosed no instances where Grant Thornton did not comply with applicable auditing standards.

Patrick P. O'Carroll, Jr.
Inspector General

Enclosure


Enclosure

Audit • Tax • Advisory
Grant Thornton LLP
333 John Carlyle Street, Suite 500
Alexandria, VA 22314-5745
T 703.837.4400
F 703.837.4455
www.GrantThornton.com

The Honorable Michael J. Astrue
Commissioner
Social Security Administration

Independent Auditor's Report

In our audit of the Social Security Administration (SSA), we found:

   •   The consolidated balance sheets of SSA as of September 30, 2011 and 2010, and the related consolidated statements of net cost and changes in net position, and the combined statements of budgetary resources for the years then ended, and the statements of social insurance as of January 1, 2011 and January 1, 2010 and statement of changes in social insurance amounts for the period January 1, 2010 to January 1, 2011 are presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America;

   •   Management fairly stated that SSA's internal control over financial reporting was operating effectively as of September 30, 2011;

   •   No reportable instances of noncompliance with laws, regulations, or other matters tested.

OPINION ON FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheets of SSA as of September 30, 2011 and 2010, and the related consolidated statements of net cost and changes in net position, and the combined statements of budgetary resources for the years then ended, and the statements of social insurance as of January 1, 2011 and January 1, 2010 and statement of changes in social insurance amounts for the period January 1, 2010 to January 1, 2011. These financial statements are the responsibility of SSA's management. Our responsibility is to express an opinion on these financial statements based on our audits. The statements of social insurance as of January 1, 2009, 2008, and 2007 were audited by other auditors whose reports dated November 9, 2009 and November 7, 2008 expressed an unqualified opinion on those statements.

We conducted our audits in accordance with auditing standards generally accepted in the United States of America established by the American Institute of Certified Public Accountants (AICPA); the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

In our opinion, the financial statements referred to above and presented on pages 100 through 132 of this Performance and Accountability Report (PAR), present fairly, in all material respects, the financial position of SSA as of September 30, 2011 and 2010, and its net cost of operations, changes in net position, and budgetary resources for the years then ended, and the financial condition of its social insurance program as of January 1, 2011 and January 1, 2010 and changes in social insurance amounts for the period January 1, 2010 to January 1, 2011, in conformity with accounting principles generally accepted in the United States of America.

As discussed in Note 17 to the financial statements, the statements of social insurance present the actuarial present value of the SSA's estimated future income to be received from or on behalf of the participants and estimated future expenditures to be paid to or on behalf of participants during a projection period sufficient to illustrate long-term sustainability of the social insurance program. In preparing the statement of social insurance, management considers and selects assumptions and data that it believes provide a reasonable basis for the assertions in the statements. However, because of the large number of factors that affect the statement of social insurance and the fact that future events and circumstances cannot be known with certainty, there will be differences between the estimates in the statement of social insurance and the actual results, and those differences may be material.

OPINION ON MANAGEMENT'S ASSERTION ABOUT THE EFFECTIVENESS OF INTERNAL CONTROL

We have also audited management's assertion, included in the accompanying Federal Managers' Financial Integrity Act of 1982 (FMFIA) Assurance Statement on page 43 of this PAR, that SSA's internal control over financial reporting was operating effectively as of September 30, 2011, based on criteria established under OMB Circular A-123, Management's Responsibility for Internal Control. We did not test all internal controls relevant to the operating objectives broadly defined by FMFIA. SSA's management is responsible for maintaining effective internal control over financial reporting and for its assertion of the operating effectiveness of internal control over financial reporting. Our responsibility is to express an opinion on management's assertion based on our audit.

We conducted our audit in accordance with attestation standards established by the AICPA; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

An agency's internal control over financial reporting is a process affected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with generally accepted accounting principles. An agency's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the agency; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the agency are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the agency's assets that could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

In our opinion, management's assertion that SSA's internal control over financial reporting was operating effectively as of September 30, 2011 is fairly stated, in all material respects, based on criteria established under OMB Circular A-123.

Other Internal Control Matters

Our audits identified the need to improve certain internal controls, as described below and in a separate, limited-distribution management letter. A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the agency's financial statements will not be prevented, or detected and corrected on a timely basis. No material weaknesses were identified.

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Our audit was not designed to identify all deficiencies in internal control over financial reporting that might be significant deficiencies. We identified certain deficiencies in internal control that when aggregated are considered to be a significant deficiency, reported below.

Significant Deficiency - Weakness in Controls Over Information Security

Our testing disclosed that policies and procedures to periodically reassess the content of security access profiles had been developed but not implemented consistently throughout the Agency. Our testing also disclosed evidence that security permissions provided to some employees and contractors were in excess of access required to complete their job responsibilities. Additionally, we identified configurations that increased the risk of unauthorized access to key financial data and programs during our testing of the operating systems and internal network.

Specific disclosure of detailed information about these exposures might further compromise controls and is therefore not provided within this report. Rather, the specific details of weaknesses noted are presented in a separate, limited-distribution management letter.

Recommendations

We recommend that SSA management improve policies and procedures that require a periodic review of the content of all security profiles. Management should enforce a consistent approach for profile review and should retain auditable artifacts to evidence the completion of these reviews.

We recommend that management improve controls to test and monitor configurations on the mainframe and network operating system environments to identify and address inherent security risks. This should include comprehensive procedures to test new software and updates to existing software prior to implementation. Management should also improve procedures that require on-going monitoring of implemented configurations to identify and address security risks.

More specific recommendations focused on the individual exposures we identified are included in a separate limited-distribution management letter.

REPORT ON COMPLIANCE AND OTHER MATTERS

The management of SSA is responsible for compliance with laws and regulations. As part of obtaining reasonable assurance about whether the basic financial statements are free of material misstatement, we performed tests of compliance with laws and regulations, including laws governing the use of budgetary authority, government-wide policies and laws identified in Appendix E of OMB Bulletin No. 07-04, and other laws and regulations, noncompliance with which could have a direct and material effect on the financial statements. Under the Federal Financial Management Improvement Act of 1996 (FFMIA), we are required to report whether SSA's financial management systems substantially comply with the Federal financial management systems requirements, applicable Federal accounting standards, and the United States Government Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA section 803(a) requirements.

We did not test compliance with all laws and regulations applicable to SSA. We limited our tests of compliance to the provisions of laws and regulations cited in the preceding paragraph of this report. Providing an opinion on compliance with those provisions was not an objective of our audit and, accordingly, we do not express such an opinion.

The results of our test of compliance disclosed no instances of noncompliance with laws and regulations or other matters that are required to be reported under Government Auditing Standards or OMB Bulletin No. 07-04 and no instances of substantial noncompliance that are required to be reported under FFMIA.

OTHER INFORMATION

The Management's Discussion and Analysis (MD&A) included on pages 5 through 46 and the Required Supplementary Information (RSI) included on pages 138 through 150 of this PAR are not a required part of the basic financial statements but are supplementary information required by the Federal Accounting Standards Advisory Board and OMB Circular A-136, Financial Reporting Requirements. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of the MD&A and RSI. However, we did not audit the information and express no opinion on it.

Our audit was conducted for the purpose of forming an opinion on the basic financial statements taken as a whole. The Schedule of Budgetary Resources included on page 137 of this PAR is supplementary information required by OMB Circular No. A-136, Financial Reporting Requirements. This schedule and the consolidating and combining information included on pages 133 to 136 of this PAR are not a required part of the basic financial statements. Such information has been subjected to the auditing procedures applied in the audit of the basic financial statements and, in our opinion, is fairly stated in all material respects in relation to the basic financial statements taken as a whole.

The Commissioner's Message on page 1 and the other accompanying information included on pages 2 through 4, 47 through 99 and 161 to the end of this PAR, is presented for purposes of additional analysis and is not a required part of the basic financial statements. Such information has not been subjected to the auditing procedures applied in the audit of the basic financial statements, and accordingly, we express no opinion on it.

Our report is intended solely for the information and use of management of SSA, the Office of the Inspector General, the OMB, the Government Accountability Office, and Congress and is not intended to be and should not be used by anyone other than these specified parties.

Alexandria, Virginia
November 7, 2011

Grant Thornton LLP
U.S. member firm of Grant Thornton International Ltd